# Hacker101 CTF {Micro-CMS-v1}

## CHALLENGE DESCRIPTION

Hacker101 CTF is a game designed to let you learn to hack in a safe, rewarding environment. Hacker101 is a free educational site for hackers, run by HackerOne. This CTF is another integral component in our plans to make the world a better place, one bug at a time.

***

## **Challenge Information**

* **Category:** Web
* **Difficulty:** Very Easy
* **Objective:** Exploit web vulnerabilities to retrieve the flag.
* **Tags:** IDOR, XSS, SQLi

***

## **Identifying Functionality**

Upon accessing the **Micro-CMS-v1** website, the following functionalities were observed:

* **Testing Page (/page/1)** – A sample page that already exists.
* **Markdown Page (/page/2)** – A sample Markdown page that already exists.
* **Edit (/page/edit/{id})** – Edits an existing page.
* **Create Page (/page/create)** – Creates a new page with a Title and Content.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2Fs8hvmGW19ZV2z19QJacd%2Fimage.png?alt=media&#x26;token=c464dec3-7f5a-4324-8e2e-2f6a20fce559" alt=""><figcaption><p>Landing page once visiting the URL</p></figcaption></figure>

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2F4cyWw27frgdtlRsbEa6F%2Fimage.png?alt=media&#x26;token=b5a66fc8-74fa-46c7-9c00-c04368a39aa0" alt=""><figcaption><p>Testing Page /page/1</p></figcaption></figure>

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2FeGKPVj1EgsvltGWH5MjW%2Fimage.png?alt=media&#x26;token=899c1425-37e2-479f-9d90-6181a6b98614" alt=""><figcaption><p>Edit page for /page/edit/2</p></figcaption></figure>

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2Fx4JNfEGNusorFvo7Q4Sz%2Fimage.png?alt=media&#x26;token=637e1d4c-0ac4-41e7-98a4-9813502a1776" alt=""><figcaption><p>Create Page /page/create</p></figcaption></figure>

***

## SOLUTION

### IDOR

#### **Vulnerability Analysis**

* The **edit page** was vulnerable to **IDOR** due to improper access control.
* The **application** used sequential numeric page IDs, so an attacker can guess other pages' IDs simply by changing the number.
* By modifying the **id parameter**, an attacker could edit another user's page, leading to unauthorized content changes and potential data leaks.

#### **Exploitation Steps**

1. Navigate to `/page/{id}` and `/page/edit/{id}`.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2Fo9uR3KWnekHEuN3CZ1gU%2Fimage.png?alt=media&#x26;token=b3f97017-940b-4cf6-a956-8205e4563093" alt=""><figcaption><p>/page/1</p></figcaption></figure>

2. Change the ID to another number, for example 1 and 2.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2FVzGVwBJkOYKfAcIbvV6R%2Fimage.png?alt=media&#x26;token=c1d6b156-5a6c-4ffd-a3c2-43a9a777ab70" alt=""><figcaption><p>/page/edit/2</p></figcaption></figure>

3. If the application grants access without checking authorization, the attacker can view and edit another user's content.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2FthNt8s5wBveCS6RNeQkd%2Fimage.png?alt=media&#x26;token=59fdf6ab-f14a-4e0e-b74c-91555f92e7bd" alt=""><figcaption><p>/page/edit/6</p></figcaption></figure>

4. This confirms the **IDOR vulnerability**, allowing unauthorized modifications.
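For comparison, here is an added example (not the Micro-CMS source) of the edit handler written with and without the ownership check whose absence causes the IDOR, plus a small log-review helper a defender could use to spot cross-owner edits. The in-memory store, the owners and the function names are assumptions.

```python
# Added example (not the Micro-CMS source); store, owners and names are assumptions.
from dataclasses import dataclass

@dataclass
class Page:
    page_id: int
    owner: str
    content: str

# Constructed sample rows with sequential IDs, as seen on the CMS.
PAGES = {
    1: Page(1, "alice", "Sample page"),
    2: Page(2, "alice", "# Markdown test"),
    6: Page(6, "bob", "bob's private draft"),
}

def edit_page_vulnerable(current_user: str, page_id: int, new_content: str) -> int:
    """Looks the page up by ID alone; the caller's identity is never consulted."""
    page = PAGES.get(page_id)
    if page is None:
        return 404
    page.content = new_content          # any logged-in user can rewrite any page
    return 200

def edit_page_fixed(current_user: str, page_id: int, new_content: str) -> int:
    """Scopes the lookup to the caller: the row must exist AND belong to them."""
    page = PAGES.get(page_id)
    # Answer 404 for "missing" and "not yours" alike, so sweeping the ID space
    # does not reveal which IDs exist from the status code.
    if page is None or page.owner != current_user:
        return 404
    page.content = new_content
    return 200

def cross_owner_edits(events):
    """Detection helper: from (user, page_id) edit events taken from an access
    log, return those where the user does not own the page."""
    return [(user, pid) for user, pid in events
            if pid in PAGES and PAGES[pid].owner != user]
```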

***

### SQL Injection

#### **Vulnerability Analysis**

* The **edit page** was vulnerable to **SQL Injection** due to unsanitized user input being directly inserted into SQL queries.
* This allowed attackers to manipulate database queries, retrieve sensitive information, and modify stored records.

#### **Exploitation Steps**

1. Navigate to the edit endpoint `/page/edit/{id}`.
2. Inject a basic SQL test payload by appending a single quote to the ID: `/page/edit/{id}'`.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2FS0etpASWACZxYmjJ5otK%2Fimage.png?alt=media&#x26;token=5d607311-f448-497d-8297-41f581120037" alt=""><figcaption><p>/page/edit/1'</p></figcaption></figure>

3. If successful, unauthorized data is retrieved.
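The following added example (not the Micro-CMS code) models the edit lookup against an in-memory SQLite table: the first handler concatenates the URL segment into the statement, so `1'` produces a database error, while the second validates the ID and binds it as a parameter. The schema and function names are assumptions.

```python
# Added example (not the Micro-CMS source); table schema and names are assumptions.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the CMS page store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                     [(1, "Testing", "Sample page"), (2, "Markdown Test", "# Heading")])
    return conn

def load_page_vulnerable(conn: sqlite3.Connection, raw_id: str):
    # The path segment is concatenated into the statement, so a stray quote
    # (or any other SQL) becomes part of the query text.
    sql = "SELECT id, title, body FROM pages WHERE id = " + raw_id
    return conn.execute(sql).fetchone()

def load_page_fixed(conn: sqlite3.Connection, raw_id: str):
    # Validate the type first, then bind: the value can only ever be data.
    if not raw_id.isdigit():
        return None
    return conn.execute("SELECT id, title, body FROM pages WHERE id = ?",
                        (int(raw_id),)).fetchone()

def probe(raw_id: str) -> dict:
    """Run both handlers on one URL segment and report what each did.
    An uncaught database exception is exactly what a single-quote probe
    like the one above is looking for."""
    conn = make_db()
    result = {"fixed": load_page_fixed(conn, raw_id), "vulnerable": None, "error": None}
    try:
        result["vulnerable"] = load_page_vulnerable(conn, raw_id)
    except sqlite3.Error as exc:
        result["error"] = type(exc).__name__
    return result
```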

***

### Stored XSS

#### **Vulnerability Analysis**

* The **page creation and editing functionalities** (`/page/create`, `/page/edit/{id}`) were vulnerable to **Stored Cross-Site Scripting (XSS)**.
* Malicious JavaScript could be injected into the **Title** field.
* Whenever another user viewed the affected page, the script would execute, leading to **session hijacking and credential theft.**

#### **Exploitation Steps**

1. Navigate to the page creation endpoint `/page/create`.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2FvZJbvYX0Hz5yHdndwuzA%2Fimage.png?alt=media&#x26;token=5180fb1b-ce91-4ddc-b4bb-a2a71bfb67c4" alt=""><figcaption><p>/page/create</p></figcaption></figure>

2. Submit a test payload in the Title and Content fields.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2F9CentSTy0b5Iva9Wi7sS%2Fimage.png?alt=media&#x26;token=465a15d6-1b49-41d7-b789-8f098d2f2d75" alt=""><figcaption><p>Sample XSS script being used.</p></figcaption></figure>

3. When another user views the page, it will trigger the script.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2Fdl0XQManAeDJX9pTBT6e%2Fimage.png?alt=media&#x26;token=2fdd6cde-bca9-4cc8-abe2-f697e41c3fdb" alt=""><figcaption><p>Proof of XSS being triggered</p></figcaption></figure>

***

### Reflected XSS

#### **Vulnerability Analysis**

* The **page creation and editing functionalities** (`/page/create`, `/page/edit/{id}`) were vulnerable to **Reflected Cross-Site Scripting (XSS)**.
* Malicious JavaScript could be injected into the **Content** field.
* When a victim clicks the button, the script is executed.

#### **Exploitation Steps**

1. Navigate to the page creation endpoint `/page/create`.
2. Inject a **malicious payload into the button element**.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2FzZeVMknpFp2FhIXgSPg8%2Fimage.png?alt=media&#x26;token=d17ea500-978a-4b77-9d2f-0d26f7b829d3" alt=""><figcaption><p>/page/create</p></figcaption></figure>

3. If the application does not sanitize input, clicking the button triggers the JavaScript execution.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2FNA2lFZ7bIvuWqtF81jPd%2Fimage.png?alt=media&#x26;token=8ff1bc81-dd69-438c-ad96-625866c2f201" alt=""><figcaption><p>XSS being triggered</p></figcaption></figure>

4. When the victim clicks the button, the flag is reflected in the Dev-Tools, confirming the **Reflected XSS** vulnerability.

<figure><img src="https://175785160-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv5xJ9SHBm6KJIr4fPHYU%2Fuploads%2F5899coKZSC7HWLvxSnjn%2Fimage.png?alt=media&#x26;token=7e946240-7699-44ab-98af-a60472b0e1a6" alt=""><figcaption><p>Reflected Flag in Source Code</p></figcaption></figure>
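As an added example covering both this section and the Stored XSS section above (not the Micro-CMS source), here is the output side of the fix: the Title is HTML-escaped because it is plain text, and the rendered Content passes through a small stdlib allowlist sanitizer that drops script elements, every `on*` event handler and `javascript:` URLs, so a `<button>` survives but its `onclick` does not. The tag allowlist and function names are assumptions; a maintained sanitizer library is the better choice in production.

```python
# Added example (not the Micro-CMS source); the allowlist below is an assumption.
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "h1", "h2", "h3", "code", "pre", "button"}
ALLOWED_ATTRS = {"a": {"href", "title"}}      # no on* attribute is ever allowed
DROP_WITH_CONTENT = {"script", "style"}       # element and its text both go
SAFE_URL_PREFIXES = ("http://", "https://", "/")

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:              # names arrive lowercased
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                       # covers onclick, onerror, style, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue                       # drops javascript:, data:, etc.
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment: str) -> str:
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)

def render_page(title: str, content_html: str) -> str:
    return f"<h1>{html.escape(title)}</h1>\n<div>{sanitize_html(content_html)}</div>"
```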

***
